TW201626235A - An integrated circuit and method for detection of malicious code in a first level instruction cache - Google Patents

An integrated circuit and method for detection of malicious code in a first level instruction cache Download PDF

Info

Publication number
TW201626235A
TW201626235A TW104128496A TW104128496A TW201626235A TW 201626235 A TW201626235 A TW 201626235A TW 104128496 A TW104128496 A TW 104128496A TW 104128496 A TW104128496 A TW 104128496A TW 201626235 A TW201626235 A TW 201626235A
Authority
TW
Taiwan
Prior art keywords
cache
storage capacity
order
internal loop
instruction cache
Prior art date
Application number
TW104128496A
Other languages
Chinese (zh)
Other versions
TWI680371B (en
Inventor
伯喬恩 馬克思 賈可布森
Original Assignee
高通公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 高通公司 filed Critical 高通公司
Publication of TW201626235A publication Critical patent/TW201626235A/en
Application granted granted Critical
Publication of TWI680371B publication Critical patent/TWI680371B/en

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0806Multiuser, multiprocessor or multiprocessing cache systems
    • G06F12/0811Multiuser, multiprocessor or multiprocessing cache systems with multilevel cache hierarchies
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0875Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches with dedicated cache, e.g. instruction or stack
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/02Addressing or allocation; Relocation
    • G06F12/08Addressing or allocation; Relocation in hierarchically structured memory systems, e.g. virtual memory systems
    • G06F12/0802Addressing of a memory level in which the access to the desired data or data block requires associative addressing means, e.g. caches
    • G06F12/0893Caches characterised by their organisation or structure
    • G06F12/0897Caches characterised by their organisation or structure with two or more cache hierarchy levels
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F12/00Accessing, addressing or allocating within memory systems or architectures
    • G06F12/14Protection against unauthorised use of memory or access to memory
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/56Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/562Static detection
    • G06F21/563Static detection by source code analysis
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2212/00Indexing scheme relating to accessing, addressing or allocation within memory systems or architectures
    • G06F2212/10Providing a specific technical effect
    • G06F2212/1052Security improvement
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/03Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
    • G06F2221/033Test or assess software

Abstract

An integrated circuit may comprise a processor, a first level instruction cache having a first storage capacity, and a second level cache having a second storage capacity that is larger than the first storage capacity. The first level instruction cache is configured to store a subset of instructions stored in the second level cache. The second level cache is configured to store a subset of data and instructions stored in an external memory. The processor executes an inner loop of a detection routine and monitors an execution time of the inner loop to detect malicious code in the first level instruction cache. A total number of detection routine instructions is larger than the first storage capacity. The inner loop requires fetching of detection routine instructions from the second level cache, and an execution number of instructions executed during execution of the inner loop is smaller than the first storage capacity.

Description

用於偵測在第一階指令快取中之惡意碼之積體電路及方法 Integrated circuit and method for detecting malicious code in first-order instruction cache 對相關申請案之交叉參考Cross-reference to related applications

本申請案主張2014年9月22日向美國專利局申請的美國非臨時申請案第14/493,306號之優先權及權利,該申請案之全部內容以引用的方式併入本文中。 The present application claims priority to and the benefit of U.S. Patent Application Serial No. 14/493,306, filed on Sep.

本發明大體上係關於偵測與不快取攻擊相關聯之惡意碼。 The present invention is generally directed to detecting malicious code associated with a no-fetch attack.

許多計算環境包括直接自RAM提取一或多個指令之指令。此等指令不儲存於第二階(L2)快取中,而替代地直接被複製至較小且較快的一階(L1)指令快取中。通常,繞過L2快取為善意操作。然而,在不存取L2快取的情況下執行程式碼之能力可允許敵人用不使用L2快取之惡意/損毀碼替換使用L2快取之無害碼而此替換不被發現。舉例而言,若整個惡意碼適配於L1快取中,則惡意碼可隱藏其存在而不被掃描/偵測軟體發現。 Many computing environments include instructions to extract one or more instructions directly from RAM. These instructions are not stored in the second order (L2) cache, but instead are copied directly into the smaller and faster first order (L1) instruction cache. Usually, bypass L2 cache for good faith operation. However, the ability to execute code without accessing the L2 cache allows the enemy to replace the harmless code using the L2 cache with a malicious/damage code that does not use L2 cache and this replacement is not found. For example, if the entire malicious code is adapted to the L1 cache, the malicious code can hide its presence without being detected by the scanning/detecting software.

因此,需要偵測隱藏於第一階指令快取中之惡意碼的能力。 Therefore, the ability to detect malicious code hidden in the first-order instruction cache is required.

本發明之一態樣可駐留於一種積體電路中,其包含:一處理器;一第一階指令快取,其具有一第一儲存容量;及一第二階快取,其具 有大於該第一儲存容量之一第二儲存容量。該第一階指令快取耦接於該處理器與該第二階快取之間,且經組態以儲存該第二階快取中所儲存之指令的一子集。該第二階快取耦接於該第一階指令快取與一外部記憶體之間,且經組態以儲存該外部記憶體中所儲存之資料及指令的一子集。該處理器經組態以執行一偵測常式之一內部迴圈,且監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼。偵測常式指令之總數大於該第一儲存容量。在執行期間,該內部迴圈需要自該第二階快取提取偵測常式指令,且在該內部迴圈之執行期間執行的指令之執行數目小於該第一儲存容量。 An aspect of the present invention can reside in an integrated circuit, comprising: a processor; a first order instruction cache having a first storage capacity; and a second order cache, There is a second storage capacity greater than one of the first storage capacities. The first order instruction cache is coupled between the processor and the second stage cache and configured to store a subset of the instructions stored in the second stage cache. The second stage cache is coupled between the first order instruction cache and an external memory, and configured to store a subset of the data and instructions stored in the external memory. The processor is configured to perform an internal loop of one of the detection routines and monitor an execution time of the internal loop to detect a malicious code in the first order instruction cache. The total number of detected routine commands is greater than the first storage capacity. During execution, the internal loop needs to extract the detection routine instruction from the second-order cache, and the number of executions of the instructions executed during execution of the internal loop is less than the first storage capacity.

在本發明之更詳細態樣中,該執行數目可顯著小於該第一儲存容量。該等偵測常式指令可包含一系列類似函式,且該系列類似函式中之至少兩個函式可為不同的。在執行期間,該偵測常式之該內部迴圈可包括基於在該偵測常式之該執行之前未知的至少一個選擇輸入對至少一個偵測常式指令之選擇。 In a more detailed aspect of the invention, the number of executions can be significantly less than the first storage capacity. The detection routine instructions may comprise a series of similar functions, and at least two of the series of similar functions may be different. During execution, the internal loop of the detection routine may include a selection of at least one detection routine command based on at least one selection input that is unknown prior to the execution of the detection routine.

本發明之另一態樣可駐留於一種方法中,其包含:藉由一處理器執行一偵測常式之一內部迴圈,其中偵測常式指令之總數大於一第一階指令快取之一第一儲存容量;及在該內部迴圈正執行時自具有一第二儲存容量之一第二階快取提取偵測常式指令,該第二階快取用於儲存一外部記憶體中所儲存之資料及指令的一子集,其中在該內部迴圈之執行期間執行的指令之執行數目小於該第一儲存容量;且藉由該處理器監視該內部迴圈之執行時間以偵測該第一階指令快取中之惡意碼。 Another aspect of the present invention can reside in a method, including: performing, by a processor, an internal loop of a detection routine, wherein the total number of detected routine instructions is greater than a first order instruction cache a first storage capacity; and a second-order cache extraction detection routine command having a second storage capacity when the internal loop is being executed, the second-order cache being used to store an external memory a subset of the data and instructions stored in the execution, wherein the number of executions of the instructions executed during execution of the internal loop is less than the first storage capacity; and the execution time of the internal loop is monitored by the processor to detect The malicious code in the first-order instruction cache is measured.

本發明之另一態樣可駐留於一種積體電路中,其包含:用於執行一偵測常式之一內部迴圈的構件,其中偵測常式指令之總數大於一第一階指令快取之一第一儲存容量;用於在該內部迴圈正執行時自具有一第二儲存容量之一第二階快取提取偵測常式指令的構件,該第二階 快取用於儲存一外部記憶體中所儲存之資料及指令的一子集,其中在該內部迴圈之執行期間執行的指令之執行數目小於該第一儲存容量;及用於監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼的構件。 Another aspect of the present invention can reside in an integrated circuit, comprising: means for performing an internal loop of one of the detection routines, wherein the total number of detection routine instructions is greater than a first order instruction Taking a first storage capacity; for extracting a detection routine command from a second-order cache having a second storage capacity while the internal loop is being executed, the second order Cache for storing a subset of data and instructions stored in an external memory, wherein the number of executions of instructions executed during execution of the internal loop is less than the first storage capacity; and for monitoring the internal back One of the loop execution times to detect the artifact of the malicious code in the first-order instruction cache.

本發明之另一態樣可駐留於一種電腦程式產品中,其包含:電腦可讀媒體,其包含:用於使一電腦執行一偵測常式之一內部迴圈的程式碼,其中偵測常式指令之總數大於一第一階指令快取之一第一儲存容量,其中在執行期間該內部迴圈需要自具有一第二儲存容量之一第二階快取提取偵測常式指令,該第二階快取用於儲存一外部記憶體中所儲存之資料及指令的一子集,且其中在該內部迴圈之執行期間執行的指令之執行數目小於該第一儲存容量;及用於使該電腦監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼的程式碼。 Another aspect of the present invention can reside in a computer program product, comprising: a computer readable medium, comprising: a code for causing a computer to perform an internal loop of a detection routine, wherein the detection The total number of the normal instructions is greater than the first storage capacity of the first order instruction cache, wherein during the execution period, the internal loop needs to extract the detection routine command from the second order cache having a second storage capacity. The second stage cache is configured to store a subset of data and instructions stored in an external memory, and wherein the number of executions of instructions executed during execution of the internal loop is less than the first storage capacity; The computer is configured to monitor an execution time of the internal loop to detect a code of the malicious code in the first-order instruction cache.

100‧‧‧無線通信系統 100‧‧‧Wireless communication system

102‧‧‧無線遠端台(RS) 102‧‧‧Wireless Remote Station (RS)

104‧‧‧基地台 104‧‧‧Base station

106‧‧‧基地台控制器(BSC) 106‧‧‧Base Station Controller (BSC)

108‧‧‧核心網路 108‧‧‧core network

110‧‧‧網際網路 110‧‧‧Internet

112‧‧‧公眾交換電話網路(PSTN) 112‧‧‧Public Exchange Telephone Network (PSTN)

210‧‧‧積體電路 210‧‧‧ integrated circuit

220‧‧‧處理器/構件 220‧‧‧Processors/components

230‧‧‧第一階指令快取 230‧‧‧first order instruction cache

240‧‧‧第二階快取 240‧‧‧second-order cache

250‧‧‧外部記憶體/電腦可讀媒體 250‧‧‧External memory/computer readable media

260‧‧‧L1資料快取 260‧‧‧L1 data cache

300‧‧‧偵測常式 300‧‧‧Detective routine

310‧‧‧內部迴圈 310‧‧‧Internal loop

350‧‧‧6位元組 350‧‧6 bytes

360‧‧‧6位元組 360‧‧6 bytes

370‧‧‧跳轉 370‧‧‧ Jump

400‧‧‧用於偵測第一階指令快取中之惡意碼的方法 400‧‧‧Method for detecting malicious code in the first-order instruction cache

500‧‧‧電腦 500‧‧‧ computer

510‧‧‧處理器/構件 510‧‧‧Processor/component

520‧‧‧儲存媒體/電腦可讀媒體 520‧‧‧Storage media/computer readable media

530‧‧‧顯示器 530‧‧‧ display

540‧‧‧輸入裝置 540‧‧‧Input device

550‧‧‧無線連接 550‧‧‧Wireless connection

圖1為無線通信系統之實例的方塊圖。 1 is a block diagram of an example of a wireless communication system.

圖2為根據本發明之態樣的用於實施用於偵測第一階指令快取中之惡意碼之技術的積體電路之方塊圖。 2 is a block diagram of an integrated circuit for implementing a technique for detecting a malicious code in a first order instruction cache in accordance with an aspect of the present invention.

圖3為根據本發明之態樣的偵測常式之流程圖。 3 is a flow chart of a detection routine in accordance with aspects of the present invention.

圖4為根據本發明之態樣的用於偵測第一階指令快取中之惡意碼的方法之流程圖。 4 is a flow chart of a method for detecting a malicious code in a first order instruction cache in accordance with aspects of the present invention.

圖5為包括處理器及記憶體之電腦的方塊圖。 Figure 5 is a block diagram of a computer including a processor and a memory.

詞語「例示性」在本文中用以意謂「充當實例、例子或說明」。本文中描述為「例示性」的任何實施例不必解釋為比其他實施例更佳或更有利。 The word "exemplary" is used herein to mean "serving as an example, instance, or illustration." Any embodiment described herein as "exemplary" is not necessarily to be construed as preferred or advantageous.

參看圖2及圖3,本發明之一態樣可駐留於積體電路210中,其包含:處理器220、具有第一儲存容量之第一階指令快取230及具有大於 第一儲存容量之第二儲存容量的第二階快取240。第一階指令快取耦接於處理器與第二階快取之間,且經組態以儲存第二階快取中所儲存之指令的子集。第二階快取耦接於第一階指令快取與外部記憶體250之間,且經組態以儲存外部記憶體中所儲存之資料及指令的子集。處理器經組態以執行偵測常式300之內部迴圈310,且監視內部迴圈之執行時間以偵測第一階指令快取中之惡意碼。偵測常式指令之總數大於第一儲存容量。在執行期間,內部迴圈需要自第二階快取提取偵測常式指令,且在內部迴圈之執行期間執行的指令之執行數目小於第一儲存容量。 Referring to FIG. 2 and FIG. 3, an aspect of the present invention may reside in the integrated circuit 210, including: a processor 220, a first order instruction cache 230 having a first storage capacity, and having a greater than A second order cache 240 of the second storage capacity of the first storage capacity. The first order instruction cache is coupled between the processor and the second stage cache and configured to store a subset of the instructions stored in the second order cache. The second stage cache is coupled between the first order instruction cache and the external memory 250 and configured to store a subset of the data and instructions stored in the external memory. The processor is configured to execute the internal loop 310 of the detection routine 300 and monitor the execution time of the internal loop to detect the malicious code in the first order instruction cache. The total number of detected routine commands is greater than the first storage capacity. During execution, the internal loop needs to extract the detection routine instruction from the second-order cache, and the number of executions of the instructions executed during the execution of the internal loop is less than the first storage capacity.

在本發明之更詳細態樣中,執行數目可顯著小於第一儲存容量。偵測常式指令可包含一系列類似函式,且該系列類似函式中之至少兩個函式可為不同的。在執行期間,偵測常式300之內部迴圈310可包括基於在偵測常式之執行之前未知的至少一個選擇輸入對至少一個偵測常式指令之選擇。第一階指令快取可包含4千位元組,且執行數目可包含16。 In a more detailed aspect of the invention, the number of executions can be significantly less than the first storage capacity. The detection routine instruction can contain a series of similar functions, and at least two of the similar functions of the series can be different. During execution, the internal loop 310 of the detection routine 300 can include a selection of at least one detection routine command based on at least one selection input that is unknown prior to execution of the detection routine. The first order instruction cache may contain 4 kilobytes and the number of executions may include 16.

進一步參看圖1及圖5,遠端台102可包含:包括處理器510(例如,積體電路210中之處理器220)、儲存媒體520(諸如,記憶體250及/或磁碟機)的電腦500、顯示器530及諸如小鍵盤之輸入裝置540以及無線連接550(諸如,Wi-Fi連接及/或蜂巢式連接)。 With further reference to FIGS. 1 and 5, the remote station 102 can include a processor 510 (eg, processor 220 in integrated circuit 210), a storage medium 520 (such as memory 250 and/or a disk drive). Computer 500, display 530, and input device 540, such as a keypad, and wireless connection 550 (such as a Wi-Fi connection and/or a cellular connection).

進一步參看圖4,本發明之另一態樣可駐留於方法400中,其包含:藉由處理器220執行偵測常式300之內部迴圈310(步驟410)。偵測常式指令之總數大於第一階指令快取230之第一儲存容量。在內部迴圈正執行時,自具有第二儲存容量之第二階快取240提取偵測常式指令,該第二階快取用於儲存外部記憶體250中所儲存之資料及指令的子集。在內部迴圈之執行期間執行的指令之執行數目小於第一儲存容量。該方法進一步包括藉由處理器監視內部迴圈之執行時間以偵測第 一階指令快取中之惡意碼(步驟420)。 With further reference to FIG. 4, another aspect of the present invention can reside in method 400, comprising: performing, by processor 220, internal loop 310 of detection routine 300 (step 410). The total number of detected routine instructions is greater than the first storage capacity of the first order instruction cache 230. When the internal loop is being executed, the detection routine command is extracted from the second-order cache 240 having the second storage capacity, and the second-order cache is used to store the data and instructions stored in the external memory 250. set. The number of executions of instructions executed during execution of the internal loop is less than the first storage capacity. The method further includes monitoring, by the processor, an execution time of the internal loop to detect the The malicious code in the first order instruction cache (step 420).

本發明之另一態樣可駐留於積體電路210中,其包含:用於執行偵測常式300之內部迴圈310的構件(例如,220、510),其中偵測常式指令之總數大於第一階指令快取230之第一儲存容量;用於在內部迴圈正執行時自具有第二儲存容量之第二階快取240提取偵測常式指令的構件(例如,220、510),該第二階快取用於儲存外部記憶體250中所儲存之資料及指令的子集,且其中在內部迴圈之執行期間執行的指令之執行數目小於第一儲存容量;及用於監視內部迴圈之執行時間以偵測第一階指令快取中之惡意碼的構件(例如,220、510)。 Another aspect of the present invention can reside in integrated circuit 210, including: means (eg, 220, 510) for performing internal loop 310 of detection routine 300, wherein the total number of routine instructions is detected a first storage capacity greater than the first-order instruction cache 230; configured to extract a component that detects the routine instruction from the second-order cache 240 having the second storage capacity while the internal loop is being executed (eg, 220, 510) The second-order cache is used to store a subset of the data and instructions stored in the external memory 250, and wherein the number of executions of instructions executed during execution of the internal loop is less than the first storage capacity; A component that monitors the execution time of the internal loop to detect malicious code in the first-order instruction cache (eg, 220, 510).

本發明之另一態樣可駐留於電腦程式產品中,其包含:電腦可讀媒體(例如,250、520),其包含:用於使電腦執行偵測常式300之內部迴圈310的程式碼,其中偵測常式指令之總數大於第一階指令快取230之第一儲存容量,其中在執行期間內部迴圈需要自具有第二儲存容量之第二階快取240提取偵測常式指令,該第二階快取用於儲存外部記憶體250中所儲存之資料及指令的子集,且其中在內部迴圈之執行期間執行的指令之執行數目小於第一儲存容量;及用於使電腦監視內部迴圈之執行時間以偵測第一階指令快取中之惡意碼的程式碼。 Another aspect of the present invention can reside in a computer program product, comprising: a computer readable medium (e.g., 250, 520), comprising: a program for causing a computer to execute an internal loop 310 that detects routine 300 The code, wherein the total number of detection routine instructions is greater than the first storage capacity of the first order instruction cache 230, wherein during execution, the internal loop needs to extract the detection routine from the second order cache 240 having the second storage capacity. The second stage cache is configured to store a subset of the data and instructions stored in the external memory 250, and wherein the number of executions of the instructions executed during execution of the internal loop is less than the first storage capacity; The computer is caused to monitor the execution time of the internal loop to detect the code of the malicious code in the first-order instruction cache.

本發明之一態樣涉及使用善意/誠信碼,亦即,偵測常式300,其防止惡意不快取碼適配於L1快取230中且快速執行(例如,1.6毫秒)。出於可用性及安全性兩個目的,快速執行對於基於軟體之認證(SBA)係合乎需要的。善意碼具有以下特徵:1)善意碼之內部迴圈310為大型的,意謂其並不適配於L1快取中,且因此,執行內部迴圈需要自L2快取240或RAM/次要儲存器提取程式碼;及2)經執行以用於內部迴圈之一個反覆的指令之數目實質上小於適配於L1快取中的指令之數目。 One aspect of the present invention relates to the use of a bona fide/integrity code, i.e., a detection routine 300 that prevents malicious unfavourable fetching from being adapted into the L1 cache 230 and executed quickly (e.g., 1.6 milliseconds). For the purposes of usability and security, fast execution is desirable for software-based authentication (SBA). The good faith code has the following characteristics: 1) The internal loop 310 of the good faith code is large, meaning that it is not suitable for the L1 cache, and therefore, the execution of the internal loop needs to be from the L2 cache 240 or RAM/minor The memory extracts the code; and 2) the number of instructions executed for a rewind of the inner loop is substantially less than the number of instructions adapted to the L1 cache.

此係藉由使用具有善意碼的廣泛分支而獲得,其中分支之一些部 分引起L1快取未命中,此係因為可叉出分支至內部迴圈310內之所有程式碼無法適配於L1快取230中。只要不同分支含有充分不同的程式碼(諸如,不同運算或位移)而不引起與解壓縮相關之延遲,善意碼便無法以適配於L1快取中之方式壓縮或表示。因此,嘗試執行相同計算任務之惡意碼將歸因於解壓縮而耗費顯著較長時間來執行或歸因於快取未命中而耗費較長時間來執行。此係因為善意碼可儲存於L1快取及L2快取兩者中,其中當存在L1快取未命中時,事物自L2載入至L1;然而,惡意碼希望避免使用L2,且任何L1快取未命中將因此導致解壓縮(其耗費長時間)或自DRAM或其他慢速儲存器提取資料(其亦耗費長時間。)此結構與其他管線/提取失敗結構之組合保證不快取攻擊無法在不被偵測到的情況下進行。 This is achieved by using a broad branch with a good faith code, some of which are branches The minute causes the L1 cache miss to occur because all of the code that can be forked out to the inner loop 310 cannot be adapted to the L1 cache 230. As long as the different branches contain sufficiently different code (such as different operations or shifts) without causing delays associated with decompression, the good faith code cannot be compressed or represented in a manner that is adapted to the L1 cache. Therefore, a malicious code attempting to perform the same computing task will take a significant amount of time to perform or be attributed to a cache miss due to decompression and take a long time to execute. This is because the good faith code can be stored in both the L1 cache and the L2 cache. When there is an L1 cache miss, things are loaded from L2 to L1; however, the malicious code wants to avoid using L2, and any L1 is fast. Taking a miss will result in decompression (which takes a long time) or extracting data from DRAM or other slow storage (which also takes a long time.) The combination of this structure with other pipeline/extraction failure structures ensures that the fast-attack attack cannot be Not carried out without being detected.

善意碼之實例可包括一系列類似(或等效)但不同的函式(互斥或(XOR)、位元旋轉、加成及交換等),該等函式可需要6千位元組,而L1指令快取之容量可為4千位元組,亦即,善意碼可為L1指令快取之大小的大約150%。善意碼可僅執行(例如)16個步驟,但在每一步驟,其基於條件1、2…N(其為未知的直至執行期間)而不可預測地選擇新函式(例如,F1、F2…FN)。因此,在每一步驟,存在快取未命中之改變,其無法由惡意不快取碼預測/避免。對於善意碼,快取未命中將引起較小延遲,此係因為用於新函式之程式碼係自L2快取存取(或分頁)。然而,在惡意不快取碼存在情況下的快取未命中將引起對外部記憶體250(例如,RAM或次要儲存器(諸如,磁碟機或其類似者))之存取,其耗費更長時間來存取。因此,歸因於更長執行時間的延遲允許偵測惡意碼之存在。 Examples of good faith codes may include a series of similar (or equivalent) but different functions (mutual exclusion or (XOR), bit rotation, addition and exchange, etc.), which may require 6 kilobytes. The capacity of the L1 instruction cache can be 4 kilobytes, that is, the good faith code can be about 150% of the size of the L1 instruction cache. The bona fide code may only perform, for example, 16 steps, but at each step it unpredictably selects a new function based on conditions 1, 2...N (which is unknown until the execution period) (eg, F1, F2... FN). Therefore, at each step, there is a change in cache miss that cannot be predicted/avoided by malicious unpleasant fetching. For a good faith code, a cache miss will cause a small delay because the code for the new function is accessed (or paged) from the L2 cache. However, a cache miss in the presence of malicious unpleasant fetching will result in access to external memory 250 (eg, RAM or secondary storage (such as a disk drive or the like), which is more expensive. Access for a long time. Therefore, delays due to longer execution times allow the detection of the presence of malicious code.

每一函式可包含運算及運算元,諸如XOR 3076或AND Z。一階快取亦可包括L1資料快取260。 Each function can contain arithmetic and arithmetic elements, such as XOR 3076 or AND Z. The first-order cache may also include an L1 data cache 260.

偵測常式300之善意碼亦可包括共同指令以載入具有在執行階段 已知之內容的暫存器(步驟320)。視情況,暫存器內容可包括處理暫存器內容之步驟(步驟330)。共同程式碼可包括跳轉指令,該跳轉指令叉出分支至基於暫存器內容或狀態之位置或程式碼路徑(步驟340)。每一程式碼路徑可包含另外6個位元組之序列(350、360…),包括至共同部分之開始的跳轉370。共同部分可包括至退出迴圈310之分支的繼續步驟(步驟380)或在完成後返回(步驟390)。因此,在此實例中,可存在1000個分支路徑,每一者為6位元組長,從而產生用於偵測常式之大約6千位元組。共同程式碼可包含大約10位元組。 The goodwill code of the detection routine 300 may also include a common instruction to load with the execution phase A register of known content (step 320). Optionally, the scratchpad content can include the step of processing the scratchpad content (step 330). The common code may include a jump instruction that branches out to a location or code path based on the contents or state of the scratchpad (step 340). Each code path may contain a sequence of additional 6 bytes (350, 360...), including a jump 370 to the beginning of the common portion. The common portion may include a continuation step to exit the branch of loop 310 (step 380) or return upon completion (step 390). Thus, in this example, there may be 1000 branch paths, each of which is 6 bytes long, resulting in approximately 6 kilobytes for detecting the normal. The common code can contain approximately 10 bytes.

所揭示之技術抵制繞過L2快取之攻擊,且直接應用於作用中惡意程式碼之偵測(包括作用中行動惡意程式碼)。作為一實例,駐留於記憶體250及L1指令快取230中但不駐留於L2快取240中之惡意碼可計算關於駐留在L2快取中之無害或誠信碼的總和檢查碼,且返回彼總和檢查碼以避免偵測。藉由迫使惡意碼駐留於L2快取中(自總和檢查碼偵測)或引起顯著延遲之記憶體(若其實行)中(自執行時間偵測),則惡意碼無法隱藏。 The disclosed technique resists attacks that bypass the L2 cache and is directly applied to the detection of malicious code in action (including active malicious code in action). As an example, a malicious code residing in memory 250 and L1 instruction cache 230 but not resident in L2 cache 240 may calculate a sum check code for a harmless or integrity code residing in L2 cache and return to The sum check code avoids detection. The malicious code cannot be hidden by forcing the malicious code to reside in the L2 cache (from the sum check code detection) or the memory causing the significant delay (if it is implemented) (self-execution time detection).

前述描述亦適用於具有兩個以上階層之快取階層架構,或更一般而言,適用於具有三個以上階層之記憶體階層架構,且其中善意碼經組態以使用可用階層之子集,且目標為偵測惡意碼是否使用可用階層之另一集合。 The foregoing description also applies to a cache hierarchy having more than two levels, or more generally, to a memory hierarchy having more than three levels, and wherein the good faith code is configured to use a subset of the available levels, and The goal is to detect if the malicious code uses another set of available classes.

參看圖1,無線遠端台(RS)102可與無線通信系統100之一或多個基地台(BS)104通信。RS可為行動台。無線通信系統100可進一步包括一或多個基地台控制器(BSC)106,及核心網路108。核心網路可經由合適回程連接至網際網路110及公眾交換電話網路(PSTN)112。典型無線行動台可包括手持型電話或膝上型電腦。無線通信系統100可使用多種多重存取技術中之任一者,諸如分碼多重存取(CDMA)、分時多重存取(TDMA)、分頻多重存取(FDMA)、分域多重存取 (SDMA)、分極多重存取(polarization division multiple access,PDMA)或此項技術中已知之其他調變技術。 Referring to FIG. 1, a wireless remote station (RS) 102 can communicate with one or more base stations (BS) 104 of a wireless communication system 100. The RS can be a mobile station. The wireless communication system 100 can further include one or more base station controllers (BSCs) 106, and a core network 108. The core network can be connected to the Internet 110 and the Public Switched Telephone Network (PSTN) 112 via a suitable backhaul. A typical wireless mobile station can include a handheld phone or a laptop. The wireless communication system 100 can use any of a variety of multiple access technologies, such as code division multiple access (CDMA), time division multiple access (TDMA), frequency division multiple access (FDMA), and multiple domain multiple access. (SDMA), polarization division multiple access (PDMA) or other modulation techniques known in the art.

熟習此項技術者將理解,可使用多種不同技藝及技術中之任一者表示資訊及信號。舉例而言,可由電壓、電流、電磁波、磁場或磁粒子、光場或光粒子或其任何組合表示貫穿以上描述所參考的資料、指令、命令、資訊、信號、位元、符號及碼片。 Those skilled in the art will appreciate that information and signals may be represented using any of a variety of different techniques and techniques. For example, the materials, instructions, commands, information, signals, bits, symbols, and chips referred to in the above description may be represented by voltages, currents, electromagnetic waves, magnetic fields or magnetic particles, light fields or light particles, or any combination thereof.

熟習此項技術者將進一步瞭解,結合本文中所揭示之實施例而描述之各種說明性邏輯區塊、模組、電路及演算法步驟可經實施為電子硬體、電腦軟體或兩者之組合。為了清楚地說明硬體與軟體之此可互換性,上文已大體上在功能性方面描述了各種說明性組件、區塊、模組、電路及步驟。將此功能性實施為硬體抑或軟體取決於特定應用及強加於整個系統上之設計約束。熟習此項技術者可針對每一特定應用以變化之方式實施所描述功能性,但此等實施決策不應被解譯為造成對本發明之範疇的脫離。 Those skilled in the art will further appreciate that the various illustrative logical blocks, modules, circuits, and algorithm steps described in connection with the embodiments disclosed herein can be implemented as an electronic hardware, a computer software, or a combination of both. . To clearly illustrate this interchangeability of hardware and software, various illustrative components, blocks, modules, circuits, and steps have been described above generally in terms of functionality. Implementing this functionality as hardware or software depends on the particular application and design constraints imposed on the overall system. Those skilled in the art can implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as a departure from the scope of the invention.

可藉由一般用途處理器、數位信號處理器(DSP)、特殊應用積體電路(ASIC)、場可程式化閘陣列(FPGA)或其他可程式化邏輯器件、離散閘或電晶體邏輯、離散硬體組件或其經設計以執行本文中所描述之功能之任何組合來實施或執行結合本文所揭示之實施例而描述的各種說明性邏輯區塊、模組及電路。一般用途處理器可為微處理器,但在替代例中,處理器可為任何習知處理器、控制器、微控制器或狀態機。處理器亦可實施為計算器件之組合,例如,DSP與微處理器之組合、複數個微處理器、結合DSP核心之一或多個微處理器,或任一其他此組態。 Can be used by general purpose processors, digital signal processors (DSPs), special application integrated circuits (ASICs), field programmable gate arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic, discrete The hardware components or any combination thereof designed to perform any of the functions described herein implement or perform the various illustrative logic blocks, modules, and circuits described in connection with the embodiments disclosed herein. A general purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller or state machine. The processor can also be implemented as a combination of computing devices, such as a combination of a DSP and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a DSP core, or any other such configuration.

結合本文中所揭示之實施例而描述之方法或演算法的步驟可直接體現於硬體中、由處理器執行之軟體模組中,或兩者之組合中。軟體模組可駐留於RAM記憶體、快閃記憶體、ROM記憶體、EPROM記憶 體、EEPROM記憶體、暫存器、硬碟、抽取式磁碟、CD-ROM,或此項技術中已知之任何其他形式之儲存媒體中。例示性儲存媒體耦接至處理器,使得處理器可自儲存媒體讀取資訊及將資訊寫入至儲存媒體。在替代例中,儲存媒體可整合至處理器。處理器及儲存媒體可駐留於ASIC中。ASIC可駐留於使用者終端機中。在替代例中,處理器及儲存媒體可作為離散組件駐留於使用者終端機中。 The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in the hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in RAM memory, flash memory, ROM memory, EPROM memory Body, EEPROM memory, scratchpad, hard drive, removable disk, CD-ROM, or any other form of storage medium known in the art. The exemplary storage medium is coupled to the processor such that the processor can read information from the storage medium and write the information to the storage medium. In the alternative, the storage medium can be integrated into the processor. The processor and the storage medium can reside in an ASIC. The ASIC can reside in the user terminal. In the alternative, the processor and the storage medium may reside as discrete components in the user terminal.

在一或多個例示性實施例中,可以硬體、軟體、韌體或其任何組合來實施所描述之功能。若作為電腦程式產品而以軟體來實施,則該等功能可作為一或多個指令或程式碼而儲存於電腦可讀媒體上或經由電腦可讀媒體傳輸。電腦可讀媒體包括非暫時性電腦儲存媒體以及包括促進將電腦程式自一處傳送至另一處之任何媒體的通信媒體兩者。儲存媒體可為可由電腦存取之任何可用媒體。藉由實例且並非限制,此等電腦可讀媒體可包含RAM、ROM、EEPROM、CD-ROM或其他光碟儲存器、磁碟儲存器或其他磁性儲存器件,或可用以攜載或儲存呈指令或資料結構之形式之所要程式碼且可由電腦存取的任何其他媒體。又,將任何連接適當地稱為電腦可讀媒體。舉例而言,若使用同軸纜線、光纖纜線、雙絞線、數位用戶線(DSL)或諸如紅外線、無線電及微波之無線技術而自網站、伺服器或其他遠端源傳輸軟體,則同軸纜線、光纖纜線、雙絞線、DSL或諸如紅外線、無線電及微波之無線技術包括於媒體之定義中。如本文中所使用,磁碟及光碟包括緊密光碟(CD)、雷射光碟、光學光碟、數位影音光碟(DVD)、軟碟及藍光光碟,其中磁碟通常以磁性方式再生資料,而光碟藉由雷射以光學方式再生資料。以上各物之組合亦應包括於電腦可讀媒體之範疇內。 In one or more exemplary embodiments, the functions described may be implemented in hardware, software, firmware, or any combination thereof. If implemented as a computer program product, the functions may be stored as one or more instructions or code on a computer readable medium or transmitted through a computer readable medium. Computer-readable media includes both non-transitory computer storage media and communication media including any medium that facilitates transfer of the computer program from one location to another. The storage medium can be any available media that can be accessed by a computer. By way of example and not limitation, such computer-readable media may comprise RAM, ROM, EEPROM, CD-ROM or other optical disk storage, disk storage or other magnetic storage device, or may be used to carry or store instructions or Any other medium in the form of a data structure that is to be accessed by a computer. Also, any connection is properly termed a computer-readable medium. For example, if you use a coaxial cable, fiber optic cable, twisted pair cable, digital subscriber line (DSL), or wireless technology such as infrared, radio, and microwave to transmit software from a website, server, or other remote source, then coaxial Cables, fiber optic cables, twisted pair, DSL, or wireless technologies such as infrared, radio, and microwave are included in the definition of the media. As used herein, magnetic disks and optical disks include compact discs (CDs), laser compact discs, optical compact discs, digital audio and video discs (DVDs), floppy discs, and Blu-ray discs, where the discs are typically magnetically regenerated and the discs are borrowed. The material is optically reproduced by laser. Combinations of the above should also be included in the context of computer readable media.

提供所揭示之實施例的先前描述以使任何熟習此項技術者能夠製作或使用本發明。熟習此項技術者將容易地顯而易見對此等實施例之各種修改,且可在不脫離本發明之精神或範疇的情況下將本文中所界 定的一般原理應用於其他實施例。因此,本發明並不意欲限於本文中所展示之實施例,而應符合與本文中所揭示之原理及新穎特徵相一致的最廣泛範疇。 The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the invention. Various modifications to the embodiments of the invention will be readily apparent to those skilled in the <RTIgt; The general principles of the application apply to other embodiments. Therefore, the present invention is not intended to be limited to the embodiments shown herein, but the broadest scope of the principles and novel features disclosed herein.

210‧‧‧積體電路 210‧‧‧ integrated circuit

220‧‧‧處理器/構件 220‧‧‧Processors/components

230‧‧‧第一階指令快取 230‧‧‧first order instruction cache

240‧‧‧第二階快取 240‧‧‧second-order cache

250‧‧‧外部記憶體/電腦可讀媒體 250‧‧‧External memory/computer readable media

260‧‧‧L1資料快取 260‧‧‧L1 data cache

Claims (19)

一種積體電路,其包含:一處理器;一第一階指令快取,其具有一第一儲存容量;及一第二階快取,其具有大於該第一儲存容量之一第二儲存容量;該第一階指令快取耦接於該處理器與該第二階快取之間,該第一階指令快取經組態以儲存該第二階快取中所儲存之指令的一子集,該第二階快取耦接於該第一階指令快取與一外部記憶體之間,該第二階快取經組態以儲存該外部記憶體中所儲存之資料及指令的一子集,且該處理器經組態以執行一偵測常式之一內部迴圈,且監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼,其中偵測常式指令之一總數大於該第一儲存容量,其中在執行期間該內部迴圈需要自該第二階快取提取偵測常式指令,且其中在該內部迴圈之執行期間執行的指令之一執行數目小於該第一儲存容量。 An integrated circuit comprising: a processor; a first order instruction cache having a first storage capacity; and a second order cache having a second storage capacity greater than the first storage capacity The first-order instruction cache is coupled between the processor and the second-order cache, and the first-order instruction cache is configured to store a subset of the instructions stored in the second-order cache The second-order cache is coupled between the first-order instruction cache and an external memory, and the second-order cache is configured to store a subset of the data and instructions stored in the external memory. And the processor is configured to perform an internal loop of one of the detection routines, and monitor an execution time of the internal loop to detect the malicious code in the first-order instruction cache, wherein the detection is often The total number of one of the instructions is greater than the first storage capacity, wherein the internal loop needs to extract the detection routine instruction from the second-order cache during execution, and wherein one of the instructions executed during execution of the internal loop The number of executions is less than the first storage capacity. 如請求項1之積體電路,其中該執行數目顯著小於該第一儲存容量。 The integrated circuit of claim 1, wherein the number of executions is significantly smaller than the first storage capacity. 如請求項1之積體電路,其中該等偵測常式指令包含一系列類似函式,且其中該系列類似函式中之至少兩個函式為不同的。 The integrated circuit of claim 1, wherein the detection routines comprise a series of similar functions, and wherein at least two of the series of similar functions are different. 如請求項1之積體電路,其中在執行期間,該偵測常式之該內部迴圈包括基於在該偵測常式之該執行之前未知的至少一個選擇 輸入對至少一個偵測常式指令之一選擇。 The integrated circuit of claim 1, wherein during execution, the internal loop of the detection routine includes at least one selection based on an unknown before the execution of the detection routine The input selects one of at least one detection routine instruction. 一種方法,其包含:藉由一處理器執行一偵測常式之一內部迴圈,其中偵測常式指令之一總數大於一第一階指令快取之一第一儲存容量;及在該內部迴圈正執行時自具有一第二儲存容量之一第二階快取提取偵測常式指令,該第二階快取用於儲存一外部記憶體中所儲存之資料及指令的一子集,其中在該內部迴圈之執行期間執行的指令之一執行數目小於該第一儲存容量;及藉由該處理器監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼。 A method includes: performing, by a processor, an internal loop of one of the detection routines, wherein the total number of the detected routine instructions is greater than a first storage capacity of the first order instruction cache; and When the internal loop is being executed, the second-order cache extracts a detection routine command having a second storage capacity, and the second-order cache is used to store a piece of data and instructions stored in an external memory. The set, wherein the number of executions of one of the instructions executed during execution of the internal loop is less than the first storage capacity; and the processor monitors one of the internal loop execution times to detect the first order instruction cache The malicious code in the middle. 如請求項5之方法,其中該執行數目顯著小於該第一儲存容量。 The method of claim 5, wherein the number of executions is significantly less than the first storage capacity. 如請求項5之方法,其中該等偵測常式指令包含一系列類似函式,且其中該系列類似函式之至少兩個函式為不同的。 The method of claim 5, wherein the detected routine instructions comprise a series of similar functions, and wherein at least two functions of the series of similar functions are different. 如請求項5之方法,其中該偵測常式之該內部迴圈在經執行時包括基於在該偵測常式之該執行之前未知的至少一個選擇輸入對至少一個偵測常式指令之一選擇。 The method of claim 5, wherein the internal loop of the detection routine includes, when executed, one of at least one detection routine command based on at least one selection input unknown prior to the execution of the detection routine select. 如請求項5之方法,其中該第二儲存容量大於該第一儲存容量且該第一階指令快取儲存該第二階快取中所儲存之指令的一子集,其中該第一階指令快取耦接於該處理器與該第二階快取之間,且第二階快取耦接於該第一階指令快取與該外部記憶體之間。 The method of claim 5, wherein the second storage capacity is greater than the first storage capacity and the first-order instruction cache stores a subset of the instructions stored in the second-order cache, wherein the first-order instruction The cache is coupled between the processor and the second-order cache, and the second-stage cache is coupled between the first-order instruction cache and the external memory. 一種積體電路,其包含:用於執行一偵測常式之一內部迴圈的構件,其中偵測常式指令之一總數大於一第一階指令快取之一第一儲存容量;用於在該內部迴圈正執行時自具有一第二儲存容量之一第二階快取提取偵測常式指令的構件,該第二階快取用於儲存一外 部記憶體中所儲存之資料及指令的一子集,其中在該內部迴圈之執行期間執行的指令之一執行數目小於該第一儲存容量;及用於監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼的構件。 An integrated circuit, comprising: a component for performing an internal loop of a detection routine, wherein a total number of detection routines is greater than a first storage capacity of a first order instruction cache; Extracting a component detecting a normal command from a second-order cache having a second storage capacity while the internal loop is being executed, the second-order cache being used to store an outer a subset of the data and instructions stored in the memory, wherein the number of executions of one of the instructions executed during execution of the internal loop is less than the first storage capacity; and for monitoring one of the internal loop execution times The component for detecting the malicious code in the first-order instruction cache. 如請求項10之積體電路,其中該執行數目顯著小於該第一儲存容量。 The integrated circuit of claim 10, wherein the number of executions is significantly less than the first storage capacity. 如請求項10之積體電路,其中該等偵測常式指令包含一系列類似函式,且其中該系列類似函式中之至少兩個函式為不同的。 The integrated circuit of claim 10, wherein the detection routines comprise a series of similar functions, and wherein at least two of the series of similar functions are different. 如請求項10之積體電路,其中在執行期間該偵測常式之該內部迴圈包括基於在該偵測常式之該執行之前未知的至少一個選擇輸入對至少一個偵測常式指令之一選擇。 The integrated circuit of claim 10, wherein the internal loop of the detection routine during execution includes at least one selection input unknown to the at least one detection routine command prior to the execution of the detection routine A choice. 如請求項10之積體電路,其中該第二儲存容量大於該第一儲存容量,且該第一階指令快取儲存該第二階快取中所儲存之指令的一子集。 The integrated circuit of claim 10, wherein the second storage capacity is greater than the first storage capacity, and the first-order instruction cache stores a subset of the instructions stored in the second-order cache. 一種電腦程式產品,其包含:電腦可讀媒體,其包含:用於使一電腦執行一偵測常式之一內部迴圈的程式碼,其中偵測常式指令之一總數大於一第一階指令快取之一第一儲存容量,其中在執行期間該內部迴圈需要自具有一第二儲存容量之一第二階快取提取偵測常式指令,該第二階快取用於儲存一外部記憶體中所儲存之資料及指令的一子集,且其中在該內部迴圈之執行期間執行的指令之一執行數目小於該第一儲存容量;及用於使該電腦監視該內部迴圈之一執行時間以偵測該第一階指令快取中之惡意碼的程式碼。 A computer program product comprising: a computer readable medium, comprising: a code for causing a computer to execute an internal loop of a detection routine, wherein the total number of detection routines is greater than a first order The instruction cache is a first storage capacity, wherein during the execution, the internal loop needs to extract a detection routine command from a second-order cache having a second storage capacity, and the second-order cache is used to store one a subset of the data and instructions stored in the external memory, and wherein the number of executions of one of the instructions executed during execution of the internal loop is less than the first storage capacity; and for causing the computer to monitor the internal loop One execution time is to detect the code of the malicious code in the first-order instruction cache. 如請求項15之電腦程式產品,其中該執行數目顯著小於該第一 儲存容量。 The computer program product of claim 15, wherein the number of executions is significantly less than the first Storage capacity. 如請求項15之電腦程式產品,其中該執行數目小於該第一儲存容量。 The computer program product of claim 15, wherein the number of executions is less than the first storage capacity. 如請求項15之電腦程式產品,其中該偵測常式之該內部迴圈在經執行時包括基於在該偵測常式之該執行之前未知的至少一個選擇輸入對至少一個偵測常式指令之一選擇。 The computer program product of claim 15, wherein the internal loop of the detection routine includes, when executed, at least one selection input based on the at least one selection input unknown before the execution of the detection routine One choice. 如請求項15之電腦程式產品,其中該第二儲存容量大於該第一儲存容量,且該第一階指令快取儲存該第二階快取中所儲存之指令的一子集,其中該第一階指令快取耦接於一處理器與該第二階快取之間,且第二階快取耦接於該第一階指令快取與該外部記憶體之間。 The computer program product of claim 15, wherein the second storage capacity is greater than the first storage capacity, and the first-order instruction cache stores a subset of the instructions stored in the second-order cache, wherein the first The first order instruction cache is coupled between the first stage cache and the second stage cache, and the second stage cache is coupled between the first order instruction cache and the external memory.
TW104128496A 2014-09-22 2015-08-28 Integrated circuit, method and computer program product for detection of malicious code in a first level instruction cache TWI680371B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US14/493,306 US9465938B2 (en) 2014-09-22 2014-09-22 Integrated circuit and method for detection of malicious code in a first level instruction cache
US14/493,306 2014-09-22

Publications (2)

Publication Number Publication Date
TW201626235A true TW201626235A (en) 2016-07-16
TWI680371B TWI680371B (en) 2019-12-21

Family

ID=54012356

Family Applications (1)

Application Number Title Priority Date Filing Date
TW104128496A TWI680371B (en) 2014-09-22 2015-08-28 Integrated circuit, method and computer program product for detection of malicious code in a first level instruction cache

Country Status (9)

Country Link
US (1) US9465938B2 (en)
EP (1) EP3198451A1 (en)
JP (1) JP6199528B1 (en)
KR (1) KR101729215B1 (en)
CN (1) CN107077424B (en)
AU (1) AU2015321998A1 (en)
BR (1) BR112017005791A2 (en)
TW (1) TWI680371B (en)
WO (1) WO2016048548A1 (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9607152B1 (en) * 2015-05-20 2017-03-28 Symantec Corporation Detect encrypted program based on CPU statistics
US10705590B2 (en) 2017-11-28 2020-07-07 Google Llc Power-conserving cache memory usage
CA3088604A1 (en) * 2018-01-08 2019-07-11 Digital Immunity, Inc. Systems and methods for detecting and mitigating code injection attacks
WO2020068988A1 (en) * 2018-09-25 2020-04-02 Synopsys, Inc. Hardware simulation systems and methods for identifying state-holding loops and oscillating loops

Family Cites Families (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7130981B1 (en) * 2004-04-06 2006-10-31 Symantec Corporation Signature driven cache extension for stream based scanning
EP1870814B1 (en) * 2006-06-19 2014-08-13 Texas Instruments France Method and apparatus for secure demand paging for processor devices
US7590813B1 (en) * 2004-08-09 2009-09-15 Symantec Corporation Cache scanning system and method
US8949989B2 (en) 2009-08-17 2015-02-03 Qualcomm Incorporated Auditing a device
US20110197256A1 (en) 2009-12-18 2011-08-11 Assured Information Security, Inc. Methods for securing a processing system and devices thereof
US9098700B2 (en) 2010-03-01 2015-08-04 The Trustees Of Columbia University In The City Of New York Systems and methods for detecting attacks against a digital circuit
US8595510B2 (en) * 2011-06-22 2013-11-26 Media Patents, S.L. Methods, apparatus and systems to improve security in computer systems
US8839429B2 (en) * 2011-11-07 2014-09-16 Qualcomm Incorporated Methods, devices, and systems for detecting return-oriented programming exploits
US9043559B2 (en) * 2012-10-23 2015-05-26 Oracle International Corporation Block memory engine with memory corruption detection
US8959576B2 (en) * 2013-03-14 2015-02-17 Intel Corporation Method, apparatus, system for qualifying CPU transactions with security attributes
US9424200B2 (en) * 2013-03-15 2016-08-23 Freescale Semiconductor, Inc. Continuous run-time integrity checking for virtual memory

Also Published As

Publication number Publication date
BR112017005791A2 (en) 2018-01-09
US9465938B2 (en) 2016-10-11
CN107077424B (en) 2018-09-25
CN107077424A (en) 2017-08-18
KR101729215B1 (en) 2017-04-21
EP3198451A1 (en) 2017-08-02
JP2017531253A (en) 2017-10-19
JP6199528B1 (en) 2017-09-20
KR20170034914A (en) 2017-03-29
AU2015321998A1 (en) 2017-03-02
TWI680371B (en) 2019-12-21
WO2016048548A1 (en) 2016-03-31
US20160085968A1 (en) 2016-03-24

Similar Documents

Publication Publication Date Title
EP3502943A1 (en) Method and system for generating cognitive security intelligence for detecting and preventing malwares
TWI680371B (en) Integrated circuit, method and computer program product for detection of malicious code in a first level instruction cache
KR102534334B1 (en) Detection of software attacks on processes in computing devices
US9152788B2 (en) Detecting a malware process
US8615806B2 (en) Apparatus and method for detecting a code injection attack
US20120159628A1 (en) Malware detection apparatus, malware detection method and computer program product thereof
US20150220736A1 (en) Continuous Memory Tamper Detection Through System Management Mode Integrity Verification
CN108509791B (en) Method for detecting processor, detection device and detection system
US11347839B2 (en) Techniques for control flow protection
KR20150059564A (en) Method for integrity verification of electronic device, machine-readable storage medium and electronic device
US10326453B2 (en) Monotonic counter and method of operating a monotonic counter
US20190018962A1 (en) System and method for validating in-memory integrity of executable files to identify malicious activity
US20150163233A1 (en) Method And Apparatus For Scanning Files
WO2019019713A1 (en) Method for detecting memory leak of application program, and terminal and readable storage medium
US9965620B2 (en) Application program interface (API) monitoring bypass
JP2016212864A (en) Memory management system, method, and computer program
KR20140139752A (en) Method and apparatus for detecting rooting
US11914724B2 (en) Systems and methods for adjusting data protection levels based on system metadata
US20180247088A1 (en) Unique hardware fingerprint device and method
US20150212569A1 (en) User space based performance state switching of a processor of a data processing device
US10853462B2 (en) Authorizing file access with user I/O and hardware usage patterns
US10776490B1 (en) Verifying an operating system during a boot process using a loader
US11809550B2 (en) Electronic device and control method therefor
WO2017016068A1 (en) Method for application synchronization during multi-domain switching and user terminal
US20140283024A1 (en) Method for efficient behavioral analysis on a mobile station